6 Replies
      Latest reply on Jul 18, 2019 8:17 PM by john daniel
      Rulovic Level 1 (0 points)

        Hello,

        I am creating an application. This application would need to be in the accessibility list to work properly.

        I am using a bash script to install it. That script must be run with root privileges. Is it possible to add the application to the list of apps with accessibility permissions? Using bash, I mean.

        My target OS version would be macOS 10.14 Mojave.

        I have read something about Privileged Helper Tools. Is that the way to go?

        If it is not possible to add the application to the accessibility list using bash, is it at least possible to check if this application is already on that list? I could present a popup to the user telling him to do it and then check if it has been added.

         

        Thanks in advance and Regards

        • Re: Add application to accessibility list from bash
          kmiskolczi Level 1 (0 points)

          Try checking out this post on StackExchange, as I think it's still relevant enough to answer your question: https://apple.stackexchange.com/questions/178313/change-accessibility-setting-on-mac-using-terminal

          If you plan to continue support for this feature for your app in Catalina too, you might want to make your script with .zsh friendliness in mind too. Even with the shebang properly placed for your script to allow bash, sometimes the syntax differences for .zsh can throw unnecessary errors.

           

          To help a little more than just giving you a link though, here's how you would actually accomplish:

          Assuming you already have the sqlite tools for macOS via command line, which can be found here: https://www.sqlite.org/download.html

            • Run sqlite3 and enter
              .open /Library/Application Support/com.apple.TCC/TCC.db
            • Then run appropriate query to view what you're looking for, e.g. for the entire table do:
              SELECT * FROM access;
              as `access` is the table that displays which applications have been entered into this tab...
              • If you wanted just the application names, you could do:
                SELECT client FROM access;
                but know that the application will be displayed as its domain entry, and it will appear that there are duplicates if you don't do something like
                SELECT client FROM access WHERE service='kTCCServiceAccessibility';
                which will just show you the `Accessibility` entry instead of both the `Accessibility` entry AND the `PostEvent` entry.
              • piping your results to a more readable view, can be done with this documentation from sqlite, at entry #5: https://sqlite.org/cli.html
              • to run these queries, or even read this database, you/users have to have SIP disabled

           

          If instead you want to do this via the GUI, you can run:

          open x-apple.systempreferences:com.apple.preference.security?Privacy_Accessibility

          to display the tab to the user, and then use the accessibility dictation commands via Siri, to enter keydown & similar commands. But if you do it this way, the users' password has to be entered, and the user has to have dictation via Siri already on.

           

          ** Special note: Doing this via a bash script, normally alerts the users more often to your activities, but if you were to incorporate this into the C languages' "system" line where you had a variable of let's say

          char = viewSecurityPane;

          set equal to

          system("open x-apple.systempreferences:com.apple.preference.security?Privacy_Accessibility");

          you can bypass the "Let Terminal make system events" alert.

            • Re: Add application to accessibility list from bash
              eskimo Apple Staff (11,835 points)

              kmiskolczi wrote:

              To help a little more than just giving you a link though, here's how you would actually accomplish:

              The approach you’ve recommended is not supported. In general, the location and format of system databases are not considered public API, and thus it’s not safe to build a product that relies on that (even if just in the installer). In this specific case, my understanding is that the TCC database is now protected by SIP.


              Coming back to Rulovic’s original question, I do not believe that there’s a supported way to programmatically add your app to the list of accessibility approved apps.  The whole point of TCC is that the user must provide consent, and they do that by manually adding your app to this list.  Attempting to bypass that is not going to end well.

              Share and Enjoy

              Quinn “The Eskimo!”
              Apple Developer Relations, Developer Technical Support, Core OS/Hardware
              let myEmail = "eskimo" + "1" + "@apple.com"

                • Re: Add application to accessibility list from bash
                  kmiskolczi Level 1 (0 points)

                  I already mentioned these actions currently require the disabling of SIP. Applications are being installed with high frequency/regularity outside of the Apple App Store, via services like Mac Update, MacPorts, Homebrew, Setapp, etc. All of which require SIP to be disabled at some point if not permanently; so the suggestion is not irrelevant.

                • Re: Add application to accessibility list from bash
                  Rulovic Level 1 (0 points)

                  Hello,

                  Unfortunately, running the command

                    .open /Library/Application Support/com.apple.TCC/TCC.db

                  Returns:

                  Error: unable to open database "/Library/Application": unable to open database file

                  So I think it is not possible anymore to manipulate the TCC DB.

                  I also tried to create a bash script to display the accessibility panel:

                  #!/bin/bash
                    
                  system("open x-apple.systempreferences:com.apple.preference.security?Privacy_Accessibility")
                  
                  

                   

                  But I get:

                  ./test.sh: line 3: syntax error near unexpected token `"open x-apple.systempreferences:com.apple.preference.security?Privacy_Accessibility"'
                  ./test.sh: line 3: `system("open x-apple.systempreferences:com.apple.preference.security?Privacy_Accessibility")'
                  
                  

                   

                  What am I doing wrong?

                  Thanks

                    • Re: Add application to accessibility list from bash
                      kmiskolczi Level 1 (0 points)

                      You'll have to re-read my original response. The bash you wrote is mixed use, the system line is a C-language syntax, not a bash syntax. The bash syntax is simply:

                      open x-apple.systempreferences:com.apple.preference.security?Privacy_Accessibility

                       

                      Take a look at Sal Soghoian's macosxautomation website. (Just google for URL), it will have these commands in links that you can click to help show you their behaviors on a preview basis.

                       

                      I am not recommending violating the security of your users' computer, which is what some of these actions will do, and that's why I haven't explicitly written the code for you.

                      • Re: Add application to accessibility list from bash
                        john daniel Level 3 (400 points)

                        Your problem is that that path has a space in it. You would need to escape the space or quote the entire path.

                         

                        Well, let me rephrase. The problem with that specific "open" command is the space. And the problem with the other open command is the question mark.

                         

                        But a more fundamental problem is that you are even attempting this in the first place. Please review what eskimo said. In macOS, it is the end user that has the ultimate power over the system, not the root user. This is a fundamental design change from traditional Unix. You cannot and should not attempt to bypass it. Eskimo is being a bit coy in saying "Attempting to bypass that is not going to end well". What does that really mean? It may mean that you spend months developing an app only to see it rejected by Apple and getting yourself kicked out of the Apple developer program. For a Mac app no less. There isn't even any money to be made there. That's what the iOS App Store is for. Why would you want to take that kind of risk?

                         

                        Is there some specific reason why you need root? Some reason other than hacking accessibility, which root can't even do?

                         

                        If not, then you can just display a dialog asking the user to add the app to accessibility. If that's your market (for whatever reason), they should be able to do that themselves. If they can't, then you probably don't want them as customers. And I mean that respectfully. Some people just shouldn't be running certain apps.

                         

                        And finally, please don't ever use "bash". "bash" is an interactive shell. For political reasons, it switched to using a restrictive license over ten years ago and Apple has been unable to update it ever since. If you do need to perform some shell operation, stick to "/bin/sh". Don't assume that any future version of macOS will include or allow ANY shell operations. I always tell people to think of how they would implement something in iOS and use that approach for the Mac. It is virtually guaranteed to be successful and future-proof.

                         

                        And for the record, services like MacUpdate, MacPorts, Homebrew, SetApp, etc. do NOT require SIP to be disabled.

                         

                        If you did want to deep-link into System Preferences, then you can use those "x-apple.systempreferences" URLs. But it is silly to do that from bash. And the bash syntax that you have been given is flat-out wrong. Instead, you can have your app open that specific area in system preferences itself via NSWorkspace. Then you don't have to worry about escaping the question marks for bash. However, please be aware that this will make your app ineligible for the Mac App Store. If you are OK with your app living perpetually in the weeds while the best customers in the world are shopping inside the walled garden, then go for it.
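
The two quoting problems named in the reply above (the space in the TCC path and the `?` in the preferences URL), shown as an added POSIX sh example that is not part of any poster's reply. The helper names and the decoy file are constructed for illustration; the script only counts and prints arguments, it does not open System Preferences or touch the TCC database.

```shell
#!/bin/sh
# Strings copied from the thread.
TCC_PATH='/Library/Application Support/com.apple.TCC/TCC.db'
PANE_URL='x-apple.systempreferences:com.apple.preference.security?Privacy_Accessibility'

# Print the number of arguments a command would receive.
count_args() { echo "$#"; }

# Unquoted: the shell splits the path at the space into two arguments.
unquoted_path_args() { count_args $TCC_PATH; }
# Quoted: the path arrives as a single argument.
quoted_path_args() { count_args "$TCC_PATH"; }

# Constructed scenario: a directory holding a file whose name matches the
# URL when `?` is read as a one-character glob pattern.
make_decoy_dir() {
    dir=$(mktemp -d) || return 1
    : > "$dir/x-apple.systempreferences:com.apple.preference.securityXPrivacy_Accessibility"
    echo "$dir"
}

# Each function body is a subshell, so the caller's working directory is untouched.
# Unquoted: pathname expansion replaces the URL with the matching file name.
unquoted_url_in() ( cd "$1" || exit 1; printf '%s\n' $PANE_URL )
# Quoted: the URL is passed through unchanged.
quoted_url_in()   ( cd "$1" || exit 1; printf '%s\n' "$PANE_URL" )

demo() {
    d=$(make_decoy_dir) || return 1
    echo "path args unquoted: $(unquoted_path_args), quoted: $(quoted_path_args)"
    echo "URL unquoted: $(unquoted_url_in "$d")"
    echo "URL quoted:   $(quoted_url_in "$d")"
    rm -rf "$d"
}
demo
```

When no file in the working directory matches the pattern, sh and bash pass the unquoted URL through unchanged, so the unquoted form only misbehaves in some directories; quoting removes that dependency.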